@wireapp/core-crypto 1.0.0-rc.20 → 1.0.0-rc.22

package/README.md

@@ -92,7 +92,7 @@ cargo make "copy-jvm-resources"
 cargo make "copy-android-resources"
 
 # builds iOS framework
-cargo make "create-swift-package"
+cargo make "ios-create-xcframework"
 
 # builds wasm binary & TS bindings
 cargo make wasm

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wireapp/core-crypto",
-  "version": "1.0.0-rc.20",
+  "version": "1.0.0-rc.22",
   "description": "CoreCrypto bindings for the Web",
   "type": "module",
   "module": "platforms/web/corecrypto.js",

package/platforms/web/corecrypto.d.ts

@@ -679,6 +679,10 @@ export interface CoreCryptoCallbacks {
  */
 export declare class CoreCrypto {
 	#private;
+	/**
+	 * Should only be used internally
+	 */
+	inner(): unknown;
 	/**
 	 * This is your entrypoint to initialize {@link CoreCrypto}!
 	 *
@@ -1204,7 +1208,7 @@ export declare class CoreCrypto {
 	 * Creates an enrollment instance with private key material you can use in order to fetch
 	 * a new x509 certificate from the acme server.
 	 *
-	 * @param clientId - client identifier with user b64Url encoded & clientId hex encoded e.g. `t6wRpI8BRSeviBwwiFp5MQ:6add501bacd1d90e@example.com`
+	 * @param clientId - client identifier e.g. `b7ac11a4-8f01-4527-af88-1c30885a7931:6add501bacd1d90e@example.com`
 	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
 	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
 	 * @param expiryDays - generated x509 certificate expiry
@@ -1217,7 +1221,6 @@ export declare class CoreCrypto {
 	 * Generates an E2EI enrollment instance for a "regular" client (with a Basic credential) willing to migrate to E2EI.
 	 * Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
 	 *
-	 * @param clientId - client identifier with user b64Url encoded & clientId hex encoded e.g. `t6wRpI8BRSeviBwwiFp5MQ:6add501bacd1d90e@example.com`
 	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
 	 * @param handle - user handle e.g. `alice.smith.qa@example.com`
 	 * @param expiryDays - generated x509 certificate expiry
@@ -1225,14 +1228,13 @@ export declare class CoreCrypto {
 	 * @param team - name of the Wire team a user belongs to
 	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiRotateAll}
 	 */
-	e2eiNewActivationEnrollment(clientId: string, displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite, team?: string): Promise<E2eiEnrollment>;
+	e2eiNewActivationEnrollment(displayName: string, handle: string, expiryDays: number, ciphersuite: Ciphersuite, team?: string): Promise<E2eiEnrollment>;
 	/**
 	 * Generates an E2EI enrollment instance for a E2EI client (with a X509 certificate credential)
 	 * having to change/rotate their credential, either because the former one is expired or it
 	 * has been revoked. It lets you change the DisplayName or the handle
 	 * if you need to. Once the enrollment is finished, use the instance in {@link CoreCrypto.e2eiRotateAll} to do the rotation.
 	 *
-	 * @param clientId - client identifier with user b64Url encoded & clientId hex encoded e.g. `t6wRpI8BRSeviBwwiFp5MQ:6add501bacd1d90e@example.com`
 	 * @param expiryDays - generated x509 certificate expiry
 	 * @param ciphersuite - for generating signing key material
 	 * @param displayName - human-readable name displayed in the application e.g. `Smith, Alice M (QA)`
@@ -1240,7 +1242,7 @@ export declare class CoreCrypto {
 	 * @param team - name of the Wire team a user belongs to
 	 * @returns The new {@link E2eiEnrollment} enrollment instance to use with {@link CoreCrypto.e2eiRotateAll}
 	 */
-	e2eiNewRotateEnrollment(clientId: string, expiryDays: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string, team?: string): Promise<E2eiEnrollment>;
+	e2eiNewRotateEnrollment(expiryDays: number, ciphersuite: Ciphersuite, displayName?: string, handle?: string, team?: string): Promise<E2eiEnrollment>;
 	/**
 	 * Use this method to initialize end-to-end identity when a client signs up and the grace period is already expired ;
 	 * that means he cannot initialize with a Basic credential
@@ -1278,7 +1280,7 @@ export declare class CoreCrypto {
 	 */
 	e2eiEnrollmentStashPop(handle: Uint8Array): Promise<E2eiEnrollment>;
 	/**
-	 * Indicates when to mark a conversation as degraded i.e. when not all its members have a X509.
+	 * Indicates when to mark a conversation as not verified i.e. when not all its members have a X509.
 	 * Credential generated by Wire's end-to-end identity enrollment
 	 *
 	 * @param conversationId The group's ID
@@ -1307,10 +1309,19 @@ export declare class CoreCrypto {
 	 * If no member has a x509 certificate, it will return an empty Vec.
 	 *
 	 * @param conversationId - identifier of the conversation
-	 * @param userIds - user identifiers e.g. t6wRpI8BRSeviBwwiFp5MQ which is a base64UrlUnpadded UUIDv4
+	 * @param userIds - user identifiers hyphenated UUIDv4 e.g. 'bd4c7053-1c5a-4020-9559-cd7bf7961954'
 	 * @returns a Map with all the identities for a given users. Consumers are then recommended to reduce those identities to determine the actual status of a user.
 	 */
 	getUserIdentities(conversationId: ConversationId, userIds: string[]): Promise<Map<string, WireIdentity[]>>;
+	/**
+	 * Gets the e2ei conversation state from a `GroupInfo`. Useful to check if the group has e2ei
+	 * turned on or not before joining it.
+	 *
+	 * @param groupInfo - a TLS encoded GroupInfo fetched from the Delivery Service
+	 * @param credentialType - kind of Credential to check usage of. Defaults to X509 for now as no other value will give any result.
+	 * @returns see {@link E2eiConversationState}
+	 */
+	getCredentialInUse(groupInfo: Uint8Array, credentialType?: CredentialType): Promise<E2eiConversationState>;
 	/**
 	 * Returns the current version of {@link CoreCrypto}
 	 *
@@ -1336,7 +1347,7 @@ export declare class E2eiEnrollment {
 	 * @param directory HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.1.1
 	 */
-	directoryResponse(directory: JsonRawData): AcmeDirectory;
+	directoryResponse(directory: JsonRawData): Promise<AcmeDirectory>;
 	/**
 	 * For creating a new acme account. This returns a signed JWS-alike request body to send to
 	 * `POST /acme/{provisioner-name}/new-account`.
@@ -1344,27 +1355,27 @@ export declare class E2eiEnrollment {
 	 * @param previousNonce you got from calling `HEAD {@link AcmeDirectory.newNonce}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.3
 	 */
-	newAccountRequest(previousNonce: string): JsonRawData;
+	newAccountRequest(previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/new-account`.
 	 * @param account HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.3
 	 */
-	newAccountResponse(account: JsonRawData): void;
+	newAccountResponse(account: JsonRawData): Promise<void>;
 	/**
 	 * Creates a new acme order for the handle (userId + display name) and the clientId.
 	 *
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/new-account`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	newOrderRequest(previousNonce: string): JsonRawData;
+	newOrderRequest(previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/new-order`.
 	 *
 	 * @param order HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	newOrderResponse(order: JsonRawData): NewAcmeOrder;
+	newOrderResponse(order: JsonRawData): Promise<NewAcmeOrder>;
 	/**
 	 * Creates a new authorization request.
 	 *
@@ -1373,14 +1384,14 @@ export declare class E2eiEnrollment {
 	 * previous to this method if you are creating the second authorization)
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
 	 */
-	newAuthzRequest(url: string, previousNonce: string): JsonRawData;
+	newAuthzRequest(url: string, previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/authz/{authz-id}`
 	 *
 	 * @param authz HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5
 	 */
-	newAuthzResponse(authz: JsonRawData): NewAcmeAuthz;
+	newAuthzResponse(authz: JsonRawData): Promise<NewAcmeAuthz>;
 	/**
 	 * Generates a new client Dpop JWT token. It demonstrates proof of possession of the nonces
 	 * (from wire-server & acme server) and will be verified by the acme server when verifying the
@@ -1392,7 +1403,7 @@ export declare class E2eiEnrollment {
 	 * @param expirySecs of the client Dpop JWT. This should be equal to the grace period set in Team Management
 	 * @param backendNonce you get by calling `GET /clients/token/nonce` on wire-server as defined here {@link https://staging-nginz-https.zinfra.io/api/swagger-ui/#/default/get_clients__client__nonce}
 	 */
-	createDpopToken(expirySecs: number, backendNonce: string): Uint8Array;
+	createDpopToken(expirySecs: number, backendNonce: string): Promise<Uint8Array>;
 	/**
 	 * Creates a new challenge request for Wire Dpop challenge.
 	 *
@@ -1400,22 +1411,31 @@ export declare class E2eiEnrollment {
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/authz/{authz-id}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
 	 */
-	newDpopChallengeRequest(accessToken: string, previousNonce: string): JsonRawData;
+	newDpopChallengeRequest(accessToken: string, previousNonce: string): Promise<JsonRawData>;
+	/**
+	 * Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}` for the DPoP challenge.
+	 *
+	 * @param challenge HTTP response body
+	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
+	 */
+	newDpopChallengeResponse(challenge: JsonRawData): Promise<void>;
 	/**
 	 * Creates a new challenge request for Wire Oidc challenge.
 	 *
 	 * @param idToken you get back from Identity Provider
+	 * @param refreshToken you get back from Identity Provider to renew the access token
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/authz/{authz-id}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
 	 */
-	newOidcChallengeRequest(idToken: string, previousNonce: string): JsonRawData;
+	newOidcChallengeRequest(idToken: string, refreshToken: string, previousNonce: string): Promise<JsonRawData>;
 	/**
-	 * Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}`.
+	 * Parses the response from `POST /acme/{provisioner-name}/challenge/{challenge-id}` for the OIDC challenge.
 	 *
+	 * @param cc the CoreCrypto instance
 	 * @param challenge HTTP response body
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.5.1
 	 */
-	newChallengeResponse(challenge: JsonRawData): void;
+	newOidcChallengeResponse(cc: CoreCrypto, challenge: JsonRawData): Promise<void>;
 	/**
 	 * Verifies that the previous challenge has been completed.
 	 *
@@ -1423,7 +1443,7 @@ export declare class E2eiEnrollment {
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/challenge/{challenge-id}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	checkOrderRequest(orderUrl: string, previousNonce: string): JsonRawData;
+	checkOrderRequest(orderUrl: string, previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/order/{order-id}`.
 	 *
@@ -1431,14 +1451,14 @@ export declare class E2eiEnrollment {
 	 * @return finalize url to use with {@link finalizeRequest}
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	checkOrderResponse(order: JsonRawData): string;
+	checkOrderResponse(order: JsonRawData): Promise<string>;
 	/**
 	 * Final step before fetching the certificate.
 	 *
 	 * @param previousNonce - `replay-nonce` response header from `POST /acme/{provisioner-name}/order/{order-id}`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	finalizeRequest(previousNonce: string): JsonRawData;
+	finalizeRequest(previousNonce: string): Promise<JsonRawData>;
 	/**
 	 * Parses the response from `POST /acme/{provisioner-name}/order/{order-id}/finalize`.
 	 *
@@ -1446,14 +1466,20 @@ export declare class E2eiEnrollment {
 	 * @return the certificate url to use with {@link certificateRequest}
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4
 	 */
-	finalizeResponse(finalize: JsonRawData): string;
+	finalizeResponse(finalize: JsonRawData): Promise<string>;
 	/**
 	 * Creates a request for finally fetching the x509 certificate.
 	 *
 	 * @param previousNonce `replay-nonce` response header from `POST /acme/{provisioner-name}/order/{order-id}/finalize`
 	 * @see https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4.2
 	 */
-	certificateRequest(previousNonce: string): JsonRawData;
+	certificateRequest(previousNonce: string): Promise<JsonRawData>;
+	/**
+	 * Lets clients retrieve the OIDC refresh token to try to renew the user's authorization.
+	 * If it's expired, the user needs to reauthenticate and they will update the refresh token
+	 * in {@link newOidcChallengeRequest}
+	 */
+	getRefreshToken(): Promise<String>;
 }
 /**
  * Indicates the state of a Conversation regarding end-to-end identity.
@@ -1468,9 +1494,9 @@ export declare enum E2eiConversationState {
 	/**
 	 * Some clients are either still Basic or their certificate is expired
 	 */
-	Degraded = 2,
+	NotVerified = 2,
 	/**
-	 * All clients are still Basic. If all client have expired certificates, Degraded is returned.
+	 * All clients are still Basic. If all client have expired certificates, NotVerified is returned.
 	 */
 	NotEnabled = 3
 }

package/platforms/web/corecrypto.js

@@ -27,6 +27,10 @@ var getUint8Memory0 = function() {
   }
   return cachedUint8Memory0;
 };
+var getStringFromWasm0 = function(ptr, len) {
+  ptr = ptr >>> 0;
+  return cachedTextDecoder.decode(getUint8Memory0().subarray(ptr, ptr + len));
+};
 var passStringToWasm0 = function(arg, malloc, realloc) {
   if (realloc === undefined) {
     const buf = cachedTextEncoder.encode(arg);
@@ -72,10 +76,6 @@ var getFloat64Memory0 = function() {
   }
   return cachedFloat64Memory0;
 };
-var getStringFromWasm0 = function(ptr, len) {
-  ptr = ptr >>> 0;
-  return cachedTextDecoder.decode(getUint8Memory0().subarray(ptr, ptr + len));
-};
 var getBigInt64Memory0 = function() {
   if (cachedBigInt64Memory0 === null || cachedBigInt64Memory0.byteLength === 0) {
     cachedBigInt64Memory0 = new BigInt64Array(wasm.memory.buffer);
@@ -156,13 +156,13 @@ var makeMutClosure = function(arg0, arg1, dtor, f) {
   real.original = state;
   return real;
 };
-var __wbg_adapter_52 = function(arg0, arg1, arg2) {
-  wasm.wasm_bindgen__convert__closures__invoke1_mut__h0b5345ebc12af5e6(arg0, arg1, addHeapObject(arg2));
+var __wbg_adapter_54 = function(arg0, arg1, arg2) {
+  wasm.wasm_bindgen__convert__closures__invoke1_mut__hee2344b2c4dec822(arg0, arg1, addHeapObject(arg2));
 };
-var __wbg_adapter_55 = function(arg0, arg1, arg2) {
+var __wbg_adapter_57 = function(arg0, arg1, arg2) {
   try {
     const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-    wasm.wasm_bindgen__convert__closures__invoke1_mut__h6255f70396e441c6(retptr, arg0, arg1, addHeapObject(arg2));
+    wasm.wasm_bindgen__convert__closures__invoke1_mut__h0822694acdee5799(retptr, arg0, arg1, addHeapObject(arg2));
     var r0 = getInt32Memory0()[retptr / 4 + 0];
     var r1 = getInt32Memory0()[retptr / 4 + 1];
     if (r1) {
@@ -232,8 +232,8 @@ var handleError = function(f, args) {
     wasm.__wbindgen_exn_store(addHeapObject(e));
   }
 };
-var __wbg_adapter_395 = function(arg0, arg1, arg2, arg3) {
-  wasm.wasm_bindgen__convert__closures__invoke2_mut__h636d2f832c212b5e(arg0, arg1, addHeapObject(arg2), addHeapObject(arg3));
+var __wbg_adapter_406 = function(arg0, arg1, arg2, arg3) {
+  wasm.wasm_bindgen__convert__closures__invoke2_mut__hb07ea52845d244dd(arg0, arg1, addHeapObject(arg2), addHeapObject(arg3));
 };
 async function __wbg_load(module, imports) {
   if (typeof Response === "function" && module instanceof Response) {
@@ -262,49 +262,65 @@ async function __wbg_load(module, imports) {
 var __wbg_get_imports = function() {
   const imports = {};
   imports.wbg = {};
-  imports.wbg.__wbindgen_number_new = function(arg0) {
-    const ret = arg0;
+  imports.wbg.__wbg_proteusautoprekeybundle_new = function(arg0) {
+    const ret = ProteusAutoPrekeyBundle.__wrap(arg0);
     return addHeapObject(ret);
   };
-  imports.wbg.__wbg_ffiwiree2eidentity_new = function(arg0) {
-    const ret = FfiWireE2EIdentity.__wrap(arg0);
+  imports.wbg.__wbg_acmedirectory_new = function(arg0) {
+    const ret = AcmeDirectory.__wrap(arg0);
     return addHeapObject(ret);
   };
   imports.wbg.__wbg_proposalbundle_new = function(arg0) {
     const ret = ProposalBundle.__wrap(arg0);
     return addHeapObject(ret);
   };
-  imports.wbg.__wbg_buffereddecryptedmessage_new = function(arg0) {
-    const ret = BufferedDecryptedMessage.__wrap(arg0);
+  imports.wbg.__wbg_newacmeauthz_new = function(arg0) {
+    const ret = NewAcmeAuthz.__wrap(arg0);
     return addHeapObject(ret);
   };
-  imports.wbg.__wbg_proteusautoprekeybundle_new = function(arg0) {
-    const ret = ProteusAutoPrekeyBundle.__wrap(arg0);
+  imports.wbg.__wbg_commitbundle_new = function(arg0) {
+    const ret = CommitBundle.__wrap(arg0);
     return addHeapObject(ret);
   };
-  imports.wbg.__wbindgen_object_drop_ref = function(arg0) {
-    takeObject(arg0);
+  imports.wbg.__wbg_newacmeorder_new = function(arg0) {
+    const ret = NewAcmeOrder.__wrap(arg0);
+    return addHeapObject(ret);
   };
-  imports.wbg.__wbg_commitbundle_new = function(arg0) {
-    const ret = CommitBundle.__wrap(arg0);
+  imports.wbg.__wbindgen_number_new = function(arg0) {
+    const ret = arg0;
+    return addHeapObject(ret);
+  };
+  imports.wbg.__wbg_buffereddecryptedmessage_new = function(arg0) {
+    const ret = BufferedDecryptedMessage.__wrap(arg0);
     return addHeapObject(ret);
   };
   imports.wbg.__wbg_corecrypto_new = function(arg0) {
     const ret = CoreCrypto.__wrap(arg0);
     return addHeapObject(ret);
   };
-  imports.wbg.__wbindgen_object_clone_ref = function(arg0) {
-    const ret = getObject(arg0);
+  imports.wbg.__wbg_ffiwiree2eidentity_new = function(arg0) {
+    const ret = FfiWireE2EIdentity.__wrap(arg0);
     return addHeapObject(ret);
   };
-  imports.wbg.__wbindgen_bigint_from_u64 = function(arg0) {
-    const ret = BigInt.asUintN(64, arg0);
+  imports.wbg.__wbindgen_object_drop_ref = function(arg0) {
+    takeObject(arg0);
+  };
+  imports.wbg.__wbindgen_object_clone_ref = function(arg0) {
+    const ret = getObject(arg0);
     return addHeapObject(ret);
   };
   imports.wbg.__wbindgen_is_null = function(arg0) {
     const ret = getObject(arg0) === null;
     return ret;
   };
+  imports.wbg.__wbindgen_string_new = function(arg0, arg1) {
+    const ret = getStringFromWasm0(arg0, arg1);
+    return addHeapObject(ret);
+  };
+  imports.wbg.__wbindgen_bigint_from_u64 = function(arg0) {
+    const ret = BigInt.asUintN(64, arg0);
+    return addHeapObject(ret);
+  };
   imports.wbg.__wbindgen_string_get = function(arg0, arg1) {
     const obj = getObject(arg1);
     const ret = typeof obj === "string" ? obj : undefined;
@@ -349,10 +365,6 @@ var __wbg_get_imports = function() {
     const ret = typeof val === "object" && val !== null;
     return ret;
   };
-  imports.wbg.__wbindgen_string_new = function(arg0, arg1) {
-    const ret = getStringFromWasm0(arg0, arg1);
-    return addHeapObject(ret);
-  };
   imports.wbg.__wbg_queueMicrotask_adae4bc085237231 = function(arg0) {
     const ret = getObject(arg0).queueMicrotask;
     return addHeapObject(ret);
@@ -385,18 +397,22 @@ var __wbg_get_imports = function() {
     const ret = getObject(arg0) == getObject(arg1);
     return ret;
   };
-  imports.wbg.__wbg_String_917f38a1211cf44b = function(arg0, arg1) {
+  imports.wbg.__wbindgen_as_number = function(arg0) {
+    const ret = +getObject(arg0);
+    return ret;
+  };
+  imports.wbg.__wbg_String_389b54bd9d25375f = function(arg0, arg1) {
     const ret = String(getObject(arg1));
     const ptr1 = passStringToWasm0(ret, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
     const len1 = WASM_VECTOR_LEN;
     getInt32Memory0()[arg0 / 4 + 1] = len1;
     getInt32Memory0()[arg0 / 4 + 0] = ptr1;
   };
-  imports.wbg.__wbg_getwithrefkey_3b3c46ba20582127 = function(arg0, arg1) {
+  imports.wbg.__wbg_getwithrefkey_4a92a5eca60879b9 = function(arg0, arg1) {
     const ret = getObject(arg0)[getObject(arg1)];
     return addHeapObject(ret);
   };
-  imports.wbg.__wbg_set_8761474ad72b9bf1 = function(arg0, arg1, arg2) {
+  imports.wbg.__wbg_set_9182712abebf82ef = function(arg0, arg1, arg2) {
     getObject(arg0)[takeObject(arg1)] = takeObject(arg2);
   };
   imports.wbg.__wbindgen_is_falsy = function(arg0) {
@@ -870,7 +886,7 @@ var __wbg_get_imports = function() {
         const a = state0.a;
         state0.a = 0;
         try {
-          return __wbg_adapter_395(a, state0.b, arg02, arg12);
+          return __wbg_adapter_406(a, state0.b, arg02, arg12);
         } finally {
           state0.a = a;
         }
@@ -950,12 +966,12 @@ var __wbg_get_imports = function() {
     const ret = wasm.memory;
     return addHeapObject(ret);
   };
-  imports.wbg.__wbindgen_closure_wrapper2198 = function(arg0, arg1, arg2) {
-    const ret = makeMutClosure(arg0, arg1, 356, __wbg_adapter_52);
+  imports.wbg.__wbindgen_closure_wrapper2304 = function(arg0, arg1, arg2) {
+    const ret = makeMutClosure(arg0, arg1, 424, __wbg_adapter_54);
     return addHeapObject(ret);
   };
-  imports.wbg.__wbindgen_closure_wrapper9921 = function(arg0, arg1, arg2) {
-    const ret = makeMutClosure(arg0, arg1, 1327, __wbg_adapter_55);
+  imports.wbg.__wbindgen_closure_wrapper10033 = function(arg0, arg1, arg2) {
+    const ret = makeMutClosure(arg0, arg1, 1396, __wbg_adapter_57);
     return addHeapObject(ret);
   };
   return imports;
@@ -991,8 +1007,14 @@ var wasm;
 var heap = new Array(128).fill(undefined);
 heap.push(undefined, null, true, false);
 var heap_next = heap.length;
-var WASM_VECTOR_LEN = 0;
+var cachedTextDecoder = typeof TextDecoder !== "undefined" ? new TextDecoder("utf-8", { ignoreBOM: true, fatal: true }) : { decode: () => {
+  throw Error("TextDecoder not available");
+} };
+if (typeof TextDecoder !== "undefined") {
+  cachedTextDecoder.decode();
+}
 var cachedUint8Memory0 = null;
+var WASM_VECTOR_LEN = 0;
 var cachedTextEncoder = typeof TextEncoder !== "undefined" ? new TextEncoder("utf-8") : { encode: () => {
   throw Error("TextEncoder not available");
 } };
@@ -1008,12 +1030,6 @@ var encodeString = typeof cachedTextEncoder.encodeInto === "function" ? function
 };
 var cachedInt32Memory0 = null;
 var cachedFloat64Memory0 = null;
-var cachedTextDecoder = typeof TextDecoder !== "undefined" ? new TextDecoder("utf-8", { ignoreBOM: true, fatal: true }) : { decode: () => {
-  throw Error("TextDecoder not available");
-} };
-if (typeof TextDecoder !== "undefined") {
-  cachedTextDecoder.decode();
-}
 var cachedBigInt64Memory0 = null;
 var cachedUint32Memory0 = null;
 var cachedUint16Memory0 = null;
@@ -1031,6 +1047,12 @@ var CredentialType = Object.freeze({
   X509: 2,
   "2": "X509"
 });
+var WirePolicy = Object.freeze({
+  Plaintext: 1,
+  "1": "Plaintext",
+  Ciphertext: 2,
+  "2": "Ciphertext"
+});
 var Ciphersuite = Object.freeze({
   MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519: 1,
   "1": "MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519",
@@ -1049,12 +1071,6 @@ var Ciphersuite = Object.freeze({
   MLS_128_X25519KYBER768DRAFT00_AES128GCM_SHA256_Ed25519: 61489,
   "61489": "MLS_128_X25519KYBER768DRAFT00_AES128GCM_SHA256_Ed25519"
 });
-var WirePolicy = Object.freeze({
-  Plaintext: 1,
-  "1": "Plaintext",
-  Ciphertext: 2,
-  "2": "Ciphertext"
-});
 
 class AcmeChallenge {
   static __wrap(ptr) {
@@ -1341,28 +1357,24 @@ class CoreCrypto {
     const ret = wasm.corecrypto_e2ei_new_enrollment(this.__wbg_ptr, ptr0, len0, ptr1, len1, ptr2, len2, ptr3, len3, expiry_days, ciphersuite);
     return takeObject(ret);
   }
-  e2ei_new_activation_enrollment(client_id, display_name, handle, team, expiry_days, ciphersuite) {
-    const ptr0 = passStringToWasm0(client_id, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+  e2ei_new_activation_enrollment(display_name, handle, team, expiry_days, ciphersuite) {
+    const ptr0 = passStringToWasm0(display_name, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
     const len0 = WASM_VECTOR_LEN;
-    const ptr1 = passStringToWasm0(display_name, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const ptr1 = passStringToWasm0(handle, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
     const len1 = WASM_VECTOR_LEN;
-    const ptr2 = passStringToWasm0(handle, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-    const len2 = WASM_VECTOR_LEN;
-    var ptr3 = isLikeNone(team) ? 0 : passStringToWasm0(team, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-    var len3 = WASM_VECTOR_LEN;
-    const ret = wasm.corecrypto_e2ei_new_activation_enrollment(this.__wbg_ptr, ptr0, len0, ptr1, len1, ptr2, len2, ptr3, len3, expiry_days, ciphersuite);
+    var ptr2 = isLikeNone(team) ? 0 : passStringToWasm0(team, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    var len2 = WASM_VECTOR_LEN;
+    const ret = wasm.corecrypto_e2ei_new_activation_enrollment(this.__wbg_ptr, ptr0, len0, ptr1, len1, ptr2, len2, expiry_days, ciphersuite);
     return takeObject(ret);
   }
-  e2ei_new_rotate_enrollment(client_id, display_name, handle, team, expiry_days, ciphersuite) {
-    const ptr0 = passStringToWasm0(client_id, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-    const len0 = WASM_VECTOR_LEN;
-    var ptr1 = isLikeNone(display_name) ? 0 : passStringToWasm0(display_name, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+  e2ei_new_rotate_enrollment(display_name, handle, team, expiry_days, ciphersuite) {
+    var ptr0 = isLikeNone(display_name) ? 0 : passStringToWasm0(display_name, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    var len0 = WASM_VECTOR_LEN;
+    var ptr1 = isLikeNone(handle) ? 0 : passStringToWasm0(handle, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
     var len1 = WASM_VECTOR_LEN;
-    var ptr2 = isLikeNone(handle) ? 0 : passStringToWasm0(handle, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    var ptr2 = isLikeNone(team) ? 0 : passStringToWasm0(team, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
     var len2 = WASM_VECTOR_LEN;
-    var ptr3 = isLikeNone(team) ? 0 : passStringToWasm0(team, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-    var len3 = WASM_VECTOR_LEN;
-    const ret = wasm.corecrypto_e2ei_new_rotate_enrollment(this.__wbg_ptr, ptr0, len0, ptr1, len1, ptr2, len2, ptr3, len3, expiry_days, ciphersuite);
+    const ret = wasm.corecrypto_e2ei_new_rotate_enrollment(this.__wbg_ptr, ptr0, len0, ptr1, len1, ptr2, len2, expiry_days, ciphersuite);
     return takeObject(ret);
   }
   e2ei_mls_init_only(enrollment, certificate_chain, nb_key_package) {
@@ -1419,6 +1431,12 @@ class CoreCrypto {
     const ret = wasm.corecrypto_get_user_identities(this.__wbg_ptr, ptr0, len0, ptr1, len1);
     return takeObject(ret);
   }
+  get_credential_in_use(group_info, credential_type) {
+    const ptr0 = passArray8ToWasm0(group_info, wasm.__wbindgen_malloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.corecrypto_get_credential_in_use(this.__wbg_ptr, ptr0, len0, credential_type);
+    return takeObject(ret);
+  }
   static version() {
     let deferred1_0;
     let deferred1_1;
@@ -1901,292 +1919,108 @@ class FfiWireE2EIdentity {
     wasm.__wbg_ffiwiree2eidentity_free(ptr);
   }
   directory_response(directory) {
-    try {
-      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-      const ptr0 = passArray8ToWasm0(directory, wasm.__wbindgen_malloc);
-      const len0 = WASM_VECTOR_LEN;
-      wasm.ffiwiree2eidentity_directory_response(retptr, this.__wbg_ptr, ptr0, len0);
-      var r0 = getInt32Memory0()[retptr / 4 + 0];
-      var r1 = getInt32Memory0()[retptr / 4 + 1];
-      var r2 = getInt32Memory0()[retptr / 4 + 2];
-      if (r2) {
-        throw takeObject(r1);
-      }
-      return AcmeDirectory.__wrap(r0);
-    } finally {
-      wasm.__wbindgen_add_to_stack_pointer(16);
-    }
+    const ptr0 = passArray8ToWasm0(directory, wasm.__wbindgen_malloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.ffiwiree2eidentity_directory_response(this.__wbg_ptr, ptr0, len0);
+    return takeObject(ret);
   }
   new_account_request(previous_nonce) {
-    try {
-      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-      const ptr0 = passStringToWasm0(previous_nonce, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-      const len0 = WASM_VECTOR_LEN;
-      wasm.ffiwiree2eidentity_new_account_request(retptr, this.__wbg_ptr, ptr0, len0);
-      var r0 = getInt32Memory0()[retptr / 4 + 0];
-      var r1 = getInt32Memory0()[retptr / 4 + 1];
-      var r2 = getInt32Memory0()[retptr / 4 + 2];
-      if (r2) {
-        throw takeObject(r1);
-      }
-      return takeObject(r0);
-    } finally {
-      wasm.__wbindgen_add_to_stack_pointer(16);
-    }
+    const ptr0 = passStringToWasm0(previous_nonce, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.ffiwiree2eidentity_new_account_request(this.__wbg_ptr, ptr0, len0);
+    return takeObject(ret);
   }
   new_account_response(account) {
-    try {
-      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-      wasm.ffiwiree2eidentity_new_account_response(retptr, this.__wbg_ptr, addHeapObject(account));
-      var r0 = getInt32Memory0()[retptr / 4 + 0];
-      var r1 = getInt32Memory0()[retptr / 4 + 1];
-      var r2 = getInt32Memory0()[retptr / 4 + 2];
-      if (r2) {
-        throw takeObject(r1);
-      }
-      return takeObject(r0);
-    } finally {
-      wasm.__wbindgen_add_to_stack_pointer(16);
-    }
+    const ret = wasm.ffiwiree2eidentity_new_account_response(this.__wbg_ptr, addHeapObject(account));
+    return takeObject(ret);
   }
   new_order_request(previous_nonce) {
-    try {
-      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-      const ptr0 = passStringToWasm0(previous_nonce, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-      const len0 = WASM_VECTOR_LEN;
-      wasm.ffiwiree2eidentity_new_order_request(retptr, this.__wbg_ptr, ptr0, len0);
-      var r0 = getInt32Memory0()[retptr / 4 + 0];
-      var r1 = getInt32Memory0()[retptr / 4 + 1];
-      var r2 = getInt32Memory0()[retptr / 4 + 2];
-      if (r2) {
-        throw takeObject(r1);
-      }
-      return takeObject(r0);
-    } finally {
-      wasm.__wbindgen_add_to_stack_pointer(16);
-    }
+    const ptr0 = passStringToWasm0(previous_nonce, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.ffiwiree2eidentity_new_order_request(this.__wbg_ptr, ptr0, len0);
+    return takeObject(ret);
   }
   new_order_response(order) {
-    try {
-      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-      wasm.ffiwiree2eidentity_new_order_response(retptr, this.__wbg_ptr, addHeapObject(order));
-      var r0 = getInt32Memory0()[retptr / 4 + 0];
-      var r1 = getInt32Memory0()[retptr / 4 + 1];
-      var r2 = getInt32Memory0()[retptr / 4 + 2];
-      if (r2) {
-        throw takeObject(r1);
-      }
-      return NewAcmeOrder.__wrap(r0);
-    } finally {
-      wasm.__wbindgen_add_to_stack_pointer(16);
-    }
+    const ret = wasm.ffiwiree2eidentity_new_order_response(this.__wbg_ptr, addHeapObject(order));
+    return takeObject(ret);
   }
   new_authz_request(url, previous_nonce) {
-    try {
-      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-      const ptr0 = passStringToWasm0(url, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-      const len0 = WASM_VECTOR_LEN;
-      const ptr1 = passStringToWasm0(previous_nonce, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-      const len1 = WASM_VECTOR_LEN;
-      wasm.ffiwiree2eidentity_new_authz_request(retptr, this.__wbg_ptr, ptr0, len0, ptr1, len1);
-      var r0 = getInt32Memory0()[retptr / 4 + 0];
-      var r1 = getInt32Memory0()[retptr / 4 + 1];
-      var r2 = getInt32Memory0()[retptr / 4 + 2];
-      if (r2) {
-        throw takeObject(r1);
-      }
-      return takeObject(r0);
-    } finally {
-      wasm.__wbindgen_add_to_stack_pointer(16);
-    }
+    const ptr0 = passStringToWasm0(url, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passStringToWasm0(previous_nonce, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ret = wasm.ffiwiree2eidentity_new_authz_request(this.__wbg_ptr, ptr0, len0, ptr1, len1);
+    return takeObject(ret);
   }
   new_authz_response(authz) {
-    try {
-      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-      wasm.ffiwiree2eidentity_new_authz_response(retptr, this.__wbg_ptr, addHeapObject(authz));
-      var r0 = getInt32Memory0()[retptr / 4 + 0];
-      var r1 = getInt32Memory0()[retptr / 4 + 1];
-      var r2 = getInt32Memory0()[retptr / 4 + 2];
-      if (r2) {
-        throw takeObject(r1);
-      }
-      return NewAcmeAuthz.__wrap(r0);
-    } finally {
-      wasm.__wbindgen_add_to_stack_pointer(16);
-    }
+    const ret = wasm.ffiwiree2eidentity_new_authz_response(this.__wbg_ptr, addHeapObject(authz));
+    return takeObject(ret);
   }
   create_dpop_token(expiry_secs, backend_nonce) {
-    try {
-      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-      const ptr0 = passStringToWasm0(backend_nonce, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-      const len0 = WASM_VECTOR_LEN;
-      wasm.ffiwiree2eidentity_create_dpop_token(retptr, this.__wbg_ptr, expiry_secs, ptr0, len0);
-      var r0 = getInt32Memory0()[retptr / 4 + 0];
-      var r1 = getInt32Memory0()[retptr / 4 + 1];
-      var r2 = getInt32Memory0()[retptr / 4 + 2];
-      if (r2) {
-        throw takeObject(r1);
-      }
-      return takeObject(r0);
-    } finally {
-      wasm.__wbindgen_add_to_stack_pointer(16);
-    }
+    const ptr0 = passStringToWasm0(backend_nonce, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.ffiwiree2eidentity_create_dpop_token(this.__wbg_ptr, expiry_secs, ptr0, len0);
+    return takeObject(ret);
   }
   new_dpop_challenge_request(access_token, previous_nonce) {
-    try {
-      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-      const ptr0 = passStringToWasm0(access_token, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-      const len0 = WASM_VECTOR_LEN;
-      const ptr1 = passStringToWasm0(previous_nonce, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-      const len1 = WASM_VECTOR_LEN;
-      wasm.ffiwiree2eidentity_new_dpop_challenge_request(retptr, this.__wbg_ptr, ptr0, len0, ptr1, len1);
-      var r0 = getInt32Memory0()[retptr / 4 + 0];
-      var r1 = getInt32Memory0()[retptr / 4 + 1];
-      var r2 = getInt32Memory0()[retptr / 4 + 2];
-      if (r2) {
-        throw takeObject(r1);
-      }
-      return takeObject(r0);
-    } finally {
-      wasm.__wbindgen_add_to_stack_pointer(16);
-    }
+    const ptr0 = passStringToWasm0(access_token, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passStringToWasm0(previous_nonce, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ret = wasm.ffiwiree2eidentity_new_dpop_challenge_request(this.__wbg_ptr, ptr0, len0, ptr1, len1);
+    return takeObject(ret);
   }
-  new_oidc_challenge_request(id_token, previous_nonce) {
-    try {
-      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-      const ptr0 = passStringToWasm0(id_token, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-      const len0 = WASM_VECTOR_LEN;
-      const ptr1 = passStringToWasm0(previous_nonce, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-      const len1 = WASM_VECTOR_LEN;
-      wasm.ffiwiree2eidentity_new_oidc_challenge_request(retptr, this.__wbg_ptr, ptr0, len0, ptr1, len1);
-      var r0 = getInt32Memory0()[retptr / 4 + 0];
-      var r1 = getInt32Memory0()[retptr / 4 + 1];
-      var r2 = getInt32Memory0()[retptr / 4 + 2];
-      if (r2) {
-        throw takeObject(r1);
-      }
-      return takeObject(r0);
-    } finally {
-      wasm.__wbindgen_add_to_stack_pointer(16);
-    }
+  new_dpop_challenge_response(challenge) {
+    const ret = wasm.ffiwiree2eidentity_new_dpop_challenge_response(this.__wbg_ptr, addHeapObject(challenge));
+    return takeObject(ret);
   }
-  new_challenge_response(challenge) {
-    try {
-      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-      wasm.ffiwiree2eidentity_new_challenge_response(retptr, this.__wbg_ptr, addHeapObject(challenge));
-      var r0 = getInt32Memory0()[retptr / 4 + 0];
-      var r1 = getInt32Memory0()[retptr / 4 + 1];
-      var r2 = getInt32Memory0()[retptr / 4 + 2];
-      if (r2) {
-        throw takeObject(r1);
-      }
-      return takeObject(r0);
-    } finally {
-      wasm.__wbindgen_add_to_stack_pointer(16);
-    }
+  new_oidc_challenge_request(id_token, refresh_token, previous_nonce) {
+    const ptr0 = passStringToWasm0(id_token, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passStringToWasm0(refresh_token, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ptr2 = passStringToWasm0(previous_nonce, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len2 = WASM_VECTOR_LEN;
+    const ret = wasm.ffiwiree2eidentity_new_oidc_challenge_request(this.__wbg_ptr, ptr0, len0, ptr1, len1, ptr2, len2);
+    return takeObject(ret);
+  }
+  new_oidc_challenge_response(cc, challenge) {
+    _assertClass(cc, CoreCrypto);
+    var ptr0 = cc.__destroy_into_raw();
+    const ret = wasm.ffiwiree2eidentity_new_oidc_challenge_response(this.__wbg_ptr, ptr0, addHeapObject(challenge));
+    return takeObject(ret);
   }
   check_order_request(order_url, previous_nonce) {
-    try {
-      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-      const ptr0 = passStringToWasm0(order_url, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-      const len0 = WASM_VECTOR_LEN;
-      const ptr1 = passStringToWasm0(previous_nonce, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-      const len1 = WASM_VECTOR_LEN;
-      wasm.ffiwiree2eidentity_check_order_request(retptr, this.__wbg_ptr, ptr0, len0, ptr1, len1);
-      var r0 = getInt32Memory0()[retptr / 4 + 0];
-      var r1 = getInt32Memory0()[retptr / 4 + 1];
-      var r2 = getInt32Memory0()[retptr / 4 + 2];
-      if (r2) {
-        throw takeObject(r1);
-      }
-      return takeObject(r0);
-    } finally {
-      wasm.__wbindgen_add_to_stack_pointer(16);
-    }
+    const ptr0 = passStringToWasm0(order_url, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ptr1 = passStringToWasm0(previous_nonce, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len1 = WASM_VECTOR_LEN;
+    const ret = wasm.ffiwiree2eidentity_check_order_request(this.__wbg_ptr, ptr0, len0, ptr1, len1);
+    return takeObject(ret);
   }
   check_order_response(order) {
-    let deferred2_0;
-    let deferred2_1;
-    try {
-      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-      wasm.ffiwiree2eidentity_check_order_response(retptr, this.__wbg_ptr, addHeapObject(order));
-      var r0 = getInt32Memory0()[retptr / 4 + 0];
-      var r1 = getInt32Memory0()[retptr / 4 + 1];
-      var r2 = getInt32Memory0()[retptr / 4 + 2];
-      var r3 = getInt32Memory0()[retptr / 4 + 3];
-      var ptr1 = r0;
-      var len1 = r1;
-      if (r3) {
-        ptr1 = 0;
-        len1 = 0;
-        throw takeObject(r2);
-      }
-      deferred2_0 = ptr1;
-      deferred2_1 = len1;
-      return getStringFromWasm0(ptr1, len1);
-    } finally {
-      wasm.__wbindgen_add_to_stack_pointer(16);
-      wasm.__wbindgen_free(deferred2_0, deferred2_1, 1);
-    }
+    const ret = wasm.ffiwiree2eidentity_check_order_response(this.__wbg_ptr, addHeapObject(order));
+    return takeObject(ret);
   }
   finalize_request(previous_nonce) {
-    try {
-      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-      const ptr0 = passStringToWasm0(previous_nonce, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-      const len0 = WASM_VECTOR_LEN;
-      wasm.ffiwiree2eidentity_finalize_request(retptr, this.__wbg_ptr, ptr0, len0);
-      var r0 = getInt32Memory0()[retptr / 4 + 0];
-      var r1 = getInt32Memory0()[retptr / 4 + 1];
-      var r2 = getInt32Memory0()[retptr / 4 + 2];
-      if (r2) {
-        throw takeObject(r1);
-      }
-      return takeObject(r0);
-    } finally {
-      wasm.__wbindgen_add_to_stack_pointer(16);
-    }
+    const ptr0 = passStringToWasm0(previous_nonce, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.ffiwiree2eidentity_finalize_request(this.__wbg_ptr, ptr0, len0);
+    return takeObject(ret);
   }
   finalize_response(finalize) {
-    let deferred2_0;
-    let deferred2_1;
-    try {
-      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-      wasm.ffiwiree2eidentity_finalize_response(retptr, this.__wbg_ptr, addHeapObject(finalize));
-      var r0 = getInt32Memory0()[retptr / 4 + 0];
-      var r1 = getInt32Memory0()[retptr / 4 + 1];
-      var r2 = getInt32Memory0()[retptr / 4 + 2];
-      var r3 = getInt32Memory0()[retptr / 4 + 3];
-      var ptr1 = r0;
-      var len1 = r1;
-      if (r3) {
-        ptr1 = 0;
-        len1 = 0;
-        throw takeObject(r2);
-      }
-      deferred2_0 = ptr1;
-      deferred2_1 = len1;
-      return getStringFromWasm0(ptr1, len1);
-    } finally {
-      wasm.__wbindgen_add_to_stack_pointer(16);
-      wasm.__wbindgen_free(deferred2_0, deferred2_1, 1);
-    }
+    const ret = wasm.ffiwiree2eidentity_finalize_response(this.__wbg_ptr, addHeapObject(finalize));
+    return takeObject(ret);
   }
   certificate_request(previous_nonce) {
-    try {
-      const retptr = wasm.__wbindgen_add_to_stack_pointer(-16);
-      const ptr0 = passStringToWasm0(previous_nonce, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
-      const len0 = WASM_VECTOR_LEN;
-      wasm.ffiwiree2eidentity_certificate_request(retptr, this.__wbg_ptr, ptr0, len0);
-      var r0 = getInt32Memory0()[retptr / 4 + 0];
-      var r1 = getInt32Memory0()[retptr / 4 + 1];
-      var r2 = getInt32Memory0()[retptr / 4 + 2];
-      if (r2) {
-        throw takeObject(r1);
-      }
-      return takeObject(r0);
-    } finally {
-      wasm.__wbindgen_add_to_stack_pointer(16);
-    }
+    const ptr0 = passStringToWasm0(previous_nonce, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.ffiwiree2eidentity_certificate_request(this.__wbg_ptr, ptr0, len0);
+    return takeObject(ret);
+  }
+  get_refresh_token() {
+    const ret = wasm.ffiwiree2eidentity_get_refresh_token(this.__wbg_ptr);
+    return takeObject(ret);
   }
 }
 
@@ -2584,6 +2418,9 @@ var ExternalProposalType;
 class CoreCrypto2 {
   static #module;
   #cc;
+  inner() {
+    return this.#cc;
+  }
   static #assertModuleLoaded() {
     if (!this.#module) {
       throw new Error("Internal module hasn't been initialized. Please use `await CoreCrypto.init(params)` or `await CoreCrypto.deferredInit(params)` !");
@@ -2667,7 +2504,12 @@ class CoreCrypto2 {
   }
   async createConversation(conversationId, creatorCredentialType, configuration = {}) {
     try {
-      const { ciphersuite, externalSenders, custom = {}, perDomainTrustAnchors = [] } = configuration || {};
+      const {
+        ciphersuite,
+        externalSenders,
+        custom = {},
+        perDomainTrustAnchors = []
+      } = configuration || {};
       const config = new ConversationConfiguration(ciphersuite, externalSenders, custom?.keyRotationSpan, custom?.wirePolicy, perDomainTrustAnchors);
       const ret = await CoreCryptoError.asyncMapErr(this.#cc.create_conversation(conversationId, creatorCredentialType, config));
       return ret;
@@ -2972,12 +2814,12 @@ class CoreCrypto2 {
     const e2ei = await CoreCryptoError.asyncMapErr(this.#cc.e2ei_new_enrollment(clientId, displayName, handle, team, expiryDays, ciphersuite));
     return new E2eiEnrollment(e2ei);
   }
-  async e2eiNewActivationEnrollment(clientId, displayName, handle, expiryDays, ciphersuite, team) {
-    const e2ei = await CoreCryptoError.asyncMapErr(this.#cc.e2ei_new_activation_enrollment(clientId, displayName, handle, team, expiryDays, ciphersuite));
+  async e2eiNewActivationEnrollment(displayName, handle, expiryDays, ciphersuite, team) {
+    const e2ei = await CoreCryptoError.asyncMapErr(this.#cc.e2ei_new_activation_enrollment(displayName, handle, team, expiryDays, ciphersuite));
     return new E2eiEnrollment(e2ei);
   }
-  async e2eiNewRotateEnrollment(clientId, expiryDays, ciphersuite, displayName, handle, team) {
-    const e2ei = await CoreCryptoError.asyncMapErr(this.#cc.e2ei_new_rotate_enrollment(clientId, displayName, handle, team, expiryDays, ciphersuite));
+  async e2eiNewRotateEnrollment(expiryDays, ciphersuite, displayName, handle, team) {
+    const e2ei = await CoreCryptoError.asyncMapErr(this.#cc.e2ei_new_rotate_enrollment(displayName, handle, team, expiryDays, ciphersuite));
     return new E2eiEnrollment(e2ei);
   }
   async e2eiMlsInitOnly(enrollment, certificateChain, nbKeyPackage) {
@@ -3012,6 +2854,10 @@ class CoreCrypto2 {
   async getUserIdentities(conversationId, userIds) {
     return await CoreCryptoError.asyncMapErr(this.#cc.get_user_identities(conversationId, userIds));
   }
+  async getCredentialInUse(groupInfo, credentialType = CredentialType2.X509) {
+    let state = await CoreCryptoError.asyncMapErr(this.#cc.get_credential_in_use(groupInfo, credentialType));
+    return E2eiConversationState[E2eiConversationState[state]];
+  }
   static version() {
     this.#assertModuleLoaded();
     return CoreCrypto.version();
@@ -3029,123 +2875,65 @@ class E2eiEnrollment {
   inner() {
     return this.#enrollment;
   }
-  directoryResponse(directory) {
-    try {
-      return this.#enrollment.directory_response(directory);
-    } catch (e) {
-      throw CoreCryptoError.fromStdError(e);
-    }
+  async directoryResponse(directory) {
+    return await CoreCryptoError.asyncMapErr(this.#enrollment.directory_response(directory));
   }
-  newAccountRequest(previousNonce) {
-    try {
-      return this.#enrollment.new_account_request(previousNonce);
-    } catch (e) {
-      throw CoreCryptoError.fromStdError(e);
-    }
+  async newAccountRequest(previousNonce) {
+    return await CoreCryptoError.asyncMapErr(this.#enrollment.new_account_request(previousNonce));
   }
-  newAccountResponse(account) {
-    try {
-      return this.#enrollment.new_account_response(account);
-    } catch (e) {
-      throw CoreCryptoError.fromStdError(e);
-    }
+  async newAccountResponse(account) {
+    return await CoreCryptoError.asyncMapErr(this.#enrollment.new_account_response(account));
   }
-  newOrderRequest(previousNonce) {
-    try {
-      return this.#enrollment.new_order_request(previousNonce);
-    } catch (e) {
-      throw CoreCryptoError.fromStdError(e);
-    }
+  async newOrderRequest(previousNonce) {
+    return await CoreCryptoError.asyncMapErr(this.#enrollment.new_order_request(previousNonce));
   }
-  newOrderResponse(order) {
-    try {
-      return this.#enrollment.new_order_response(order);
-    } catch (e) {
-      throw CoreCryptoError.fromStdError(e);
-    }
+  async newOrderResponse(order) {
+    return await CoreCryptoError.asyncMapErr(this.#enrollment.new_order_response(order));
   }
-  newAuthzRequest(url, previousNonce) {
-    try {
-      return this.#enrollment.new_authz_request(url, previousNonce);
-    } catch (e) {
-      throw CoreCryptoError.fromStdError(e);
-    }
+  async newAuthzRequest(url, previousNonce) {
+    return await CoreCryptoError.asyncMapErr(this.#enrollment.new_authz_request(url, previousNonce));
   }
-  newAuthzResponse(authz) {
-    try {
-      return this.#enrollment.new_authz_response(authz);
-    } catch (e) {
-      throw CoreCryptoError.fromStdError(e);
-    }
+  async newAuthzResponse(authz) {
+    return await CoreCryptoError.asyncMapErr(this.#enrollment.new_authz_response(authz));
   }
-  createDpopToken(expirySecs, backendNonce) {
-    try {
-      return this.#enrollment.create_dpop_token(expirySecs, backendNonce);
-    } catch (e) {
-      throw CoreCryptoError.fromStdError(e);
-    }
+  async createDpopToken(expirySecs, backendNonce) {
+    return await CoreCryptoError.asyncMapErr(this.#enrollment.create_dpop_token(expirySecs, backendNonce));
   }
-  newDpopChallengeRequest(accessToken, previousNonce) {
-    try {
-      return this.#enrollment.new_dpop_challenge_request(accessToken, previousNonce);
-    } catch (e) {
-      throw CoreCryptoError.fromStdError(e);
-    }
+  async newDpopChallengeRequest(accessToken, previousNonce) {
+    return await CoreCryptoError.asyncMapErr(this.#enrollment.new_dpop_challenge_request(accessToken, previousNonce));
   }
-  newOidcChallengeRequest(idToken, previousNonce) {
-    try {
-      return this.#enrollment.new_oidc_challenge_request(idToken, previousNonce);
-    } catch (e) {
-      throw CoreCryptoError.fromStdError(e);
-    }
+  async newDpopChallengeResponse(challenge) {
+    return await CoreCryptoError.asyncMapErr(this.#enrollment.new_dpop_challenge_response(challenge));
   }
-  newChallengeResponse(challenge) {
-    try {
-      return this.#enrollment.new_challenge_response(challenge);
-    } catch (e) {
-      throw CoreCryptoError.fromStdError(e);
-    }
+  async newOidcChallengeRequest(idToken, refreshToken, previousNonce) {
+    return await CoreCryptoError.asyncMapErr(this.#enrollment.new_oidc_challenge_request(idToken, refreshToken, previousNonce));
   }
-  checkOrderRequest(orderUrl, previousNonce) {
-    try {
-      return this.#enrollment.check_order_request(orderUrl, previousNonce);
-    } catch (e) {
-      throw CoreCryptoError.fromStdError(e);
-    }
+  async newOidcChallengeResponse(cc, challenge) {
+    return await CoreCryptoError.asyncMapErr(this.#enrollment.new_oidc_challenge_response(cc.inner(), challenge));
   }
-  checkOrderResponse(order) {
-    try {
-      return this.#enrollment.check_order_response(order);
-    } catch (e) {
-      throw CoreCryptoError.fromStdError(e);
-    }
+  async checkOrderRequest(orderUrl, previousNonce) {
+    return await CoreCryptoError.asyncMapErr(this.#enrollment.check_order_request(orderUrl, previousNonce));
   }
-  finalizeRequest(previousNonce) {
-    try {
-      return this.#enrollment.finalize_request(previousNonce);
-    } catch (e) {
-      throw CoreCryptoError.fromStdError(e);
-    }
+  async checkOrderResponse(order) {
+    return await CoreCryptoError.asyncMapErr(this.#enrollment.check_order_response(order));
   }
-  finalizeResponse(finalize) {
-    try {
-      return this.#enrollment.finalize_response(finalize);
-    } catch (e) {
-      throw CoreCryptoError.fromStdError(e);
-    }
+  async finalizeRequest(previousNonce) {
+    return await CoreCryptoError.asyncMapErr(this.#enrollment.finalize_request(previousNonce));
   }
-  certificateRequest(previousNonce) {
-    try {
-      return this.#enrollment.certificate_request(previousNonce);
-    } catch (e) {
-      throw CoreCryptoError.fromStdError(e);
-    }
+  async finalizeResponse(finalize) {
+    return await CoreCryptoError.asyncMapErr(this.#enrollment.finalize_response(finalize));
+  }
+  async certificateRequest(previousNonce) {
+    return await CoreCryptoError.asyncMapErr(this.#enrollment.certificate_request(previousNonce));
+  }
+  async getRefreshToken() {
+    return await CoreCryptoError.asyncMapErr(this.#enrollment.get_refresh_token());
   }
 }
 var E2eiConversationState;
 (function(E2eiConversationState2) {
   E2eiConversationState2[E2eiConversationState2["Verified"] = 1] = "Verified";
-  E2eiConversationState2[E2eiConversationState2["Degraded"] = 2] = "Degraded";
+  E2eiConversationState2[E2eiConversationState2["NotVerified"] = 2] = "NotVerified";
   E2eiConversationState2[E2eiConversationState2["NotEnabled"] = 3] = "NotEnabled";
 })(E2eiConversationState || (E2eiConversationState = {}));
 export {